Wednesday, December 14, 2016

1:40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Sednit rootkit alert didn't include documentation.

1 40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,; classtype:trojan-activity; sid:40911; rev:1; )

If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar. One source stated:

"the notorious Sednit hacking group which has targeted over 1000 high-profile individuals with phishing attacks and zero-day exploits. The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, are highly experienced, and have been engaged in criminal activity since at least 2004. They have developed sophisticated attacks that bypass the typical network security at compromised organizations."

Another blog mentioned: "The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server."

The VirusTotal link above shows several generic hits like TROJ_SEDNIT, Rootkit.BlackEnergy, Trojan-Dropper.Win32.Agent, etc.
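To see what the rule above actually keys on, here is an added Python emulation of its content conditions (this is my illustration, not code from the post or from Snort), run over constructed sample requests. It assumes Snort's default behaviour of applying urilen to the normalized URI including any query string; the hostnames and form bodies are made up.

```python
"""Emulate the matching conditions of Snort SID 40911 over raw HTTP requests.

Added illustration, not part of the original post or the Snort rule set.
The requests below are constructed samples, not real Sednit traffic.
"""


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def matches_sid_40911(raw: bytes) -> bool:
    """Return True when a request satisfies every content condition of the rule.

    Mirrors the rule's options: urilen:11 (the request target, query string
    included, is exactly 11 bytes), content:"/search.php" in the URI, and both
    "as_ft=" and "as_q=" somewhere in the client body. flow:to_server is implied
    by inspecting a request; the port/direction checks are left to Snort.
    """
    req = parse_request(raw)
    uri = req["target"]
    # "/search.php" is itself 11 bytes, so with urilen:11 any query string or
    # longer path defeats the match even though the content check would pass.
    if len(uri) != 11 or b"/search.php" not in uri:
        return False
    body = req["body"]
    return b"as_ft=" in body and b"as_q=" in body


# Constructed samples: one that should alert and two near-misses.
HIT = (b"POST /search.php HTTP/1.1\r\nHost: example.invalid\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
       b"as_q=status&as_ft=1")
LONGER_URI = HIT.replace(b"/search.php ", b"/search.php?x=1 ")  # urilen becomes 15
GET_NO_BODY = b"GET /search.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("HIT", HIT), ("LONGER_URI", LONGER_URI), ("GET_NO_BODY", GET_NO_BODY)):
        print(f"{name}: {'ALERT' if matches_sid_40911(sample) else 'no match'}")
```

Running it shows only the first sample alerts, which is why a query-string variant of the same beacon would slip past this signature as written.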


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
